Foiling Medical Implant Hackers

PORTLAND, Ore. — The increasing proliferation of medical implants that can be programmed wirelessly, such as pacemakers, insulin pumps, defibrillators, neural implants, and drug delivery systems, has prompted concern that hackers could gain access and harm a patient.

Now researchers at Rice University claim to have an answer. Called Heart-to-Heart (H2H), the cryptographic technique uses the patient's own heartbeat as a random number generator. It will be presented at the upcoming Association for Computing Machinery (ACM) Conference on Computer and Communications Security (November 4-8, Berlin).

Today, reprogramming of medical implants is performed in the doctor's office, where security is not a concern. Traditional cryptographic techniques can be used for secure access to implants there, but, according to the Rice researchers, hackers could gain wireless access to implants outside the doctor's office by breaking those techniques. Sophisticated, traditional cryptography could be used, but that would tax the processing power of the implant's microcontroller and run down its battery. H2H, on the other hand, is designed to be easy on computing resources and yet more secure than traditional cryptography.

In essence, the technique derives a random password from the heartbeat of the patient that can only be computed while touching the patient. The researchers call this touch-to-access, and they say the touch requirement matters because hackers could determine the rough outline of a heartbeat remotely with special cameras. After touch-to-access derives the random password from the patient's heartbeat, a novel pairing protocol then uses that password, which the implant's microcontroller calculates separately from its own recording, to establish a secure wireless connection between the doctor's programmer and the implanted medical device (IMD).

"We have shown that the heartbeat has enough randomness to be used as a random number generator," professor Farinaz Koushanfar at Rice University told EE Times. "The IMD, which is inside the body, can record random bits in a heartbeat in the short-time interval that the access is happening, and the person who is accessing the IMD can also record the heartbeat."

Koushanfar went on to explain:

For 12 seconds the person who has access to the patient with the IMD device records the same random number as the IMD device is recording, and then they go through a cryptographic pairing. But what is significant about this cryptographic pairing is that we have shown it is resilient against all sorts of attacks. There have been approaches that tried this earlier, but earlier work has shown that those approaches could be broken.
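The procedure described above (both sides record the same beats for a short window, each derives a password from them, then they pair on that password) as an added, simplified illustration in Python; this is not the researchers' H2H code. The bit-extraction rule, the quantization step, the beat timings and the challenge-response pairing are all assumptions made for the demo, and the sample data is constructed so that the skin-contact reading lands in the same bins as the implant's.

```python
import hashlib
import hmac
import secrets

QUANT_MS = 8      # assumed quantization bin for inter-pulse intervals (IPIs)
BITS_PER_IPI = 2  # assumed: keep the two low-order bits of each bin index

def ipi_to_bits(ipis_ms):
    """Quantize each IPI and keep the low-order bits of its bin index."""
    bits = []
    for ipi in ipis_ms:
        q = int(ipi) // QUANT_MS
        bits.extend((q >> i) & 1 for i in range(BITS_PER_IPI))
    return bits

def derive_password(bits):
    """Pack the agreed bits and hash them into a fixed-length password."""
    packed = bytes(int("".join(map(str, bits[i:i + 8])).ljust(8, "0"), 2)
                   for i in range(0, len(bits), 8))
    return hashlib.sha256(b"h2h-demo-password|" + packed).digest()

def pair(pw_implant, pw_programmer):
    """Mutual challenge-response on the shared password (demo stand-in).
    A deployed design would use a password-authenticated key exchange so a
    captured exchange gives an eavesdropper nothing to guess against offline."""
    n_i, n_p = secrets.token_bytes(16), secrets.token_bytes(16)
    def tag(pw, role):
        return hmac.new(pw, role + n_i + n_p, "sha256").digest()
    # Each side recomputes the other's tag under its own password.
    implant_ok = hmac.compare_digest(tag(pw_programmer, b"prog"), tag(pw_implant, b"prog"))
    programmer_ok = hmac.compare_digest(tag(pw_implant, b"imd"), tag(pw_programmer, b"imd"))
    return implant_ok and programmer_ok

# Constructed sample: about 12 beats as timed by the implant (exact) and by a
# skin electrode (about 1 ms jitter, chosen to stay inside each 8 ms bin; a real
# system needs a reconciliation step for readings that straddle a bin edge).
IMPLANT_IPIS = [812, 797, 835, 790, 823, 808, 841, 799, 815, 827, 803, 819]
SKIN_IPIS = [813, 796, 836, 789, 822, 809, 842, 798, 814, 826, 804, 818]
# A non-contact observer is assumed to recover timing only to about 50 ms.
REMOTE_IPIS = [round(x / 50) * 50 for x in IMPLANT_IPIS]

def run_demo():
    pw_imd = derive_password(ipi_to_bits(IMPLANT_IPIS))
    pw_skin = derive_password(ipi_to_bits(SKIN_IPIS))
    pw_far = derive_password(ipi_to_bits(REMOTE_IPIS))
    return pair(pw_imd, pw_skin), pair(pw_imd, pw_far)  # (True, False)

if __name__ == "__main__":
    print(run_demo())
```

The touching programmer pairs successfully while the coarse remote estimate does not, which is the point of the touch requirement; the password here has only 24 bits of material, so the pairing step, not the hash, is what must resist guessing.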

Today millions of medical implants are in use, many of them with unsecured wireless access, but the Rice researchers claim their algorithm is simple enough to be incorporated even into legacy IMDs by simply updating their firmware. The researchers are currently in informal discussions with IMD makers to license them their H2H technology.

Professor Farinaz Koushanfar (left) at Rice University and doctoral candidate Masoud Rostami (right) created a system to secure implantable medical devices like pacemakers and insulin pumps from wireless attacks.
(Source: Jeff Fitlow/Rice University)

In their ACM presentation in Berlin, the researchers, who include doctoral candidate Masoud Rostami, will describe H2H and the touch-to-access protocol, which they have implemented on an ARM Cortex-M3 microcontroller.

Also contributing to the development effort was independent security analyst, and former director of RSA Laboratories in Cambridge, Mass., Ari Juels. Funding was provided by the Office of Naval Research and the Army Research Office.

So far most of the hacking has been done by engineers trying to prove that it is possible, so that the companies making the implants will be forced to provide security before it becomes a problem. Many security techniques have been proposed, which prompts engineers to try to crack those protection schemes--just to prove that they are crackable. However, I don't know of any serious incidents of malicious hacking of an implant inside a person to harm that individual.

Hello everyone, please excuse me for interrupting the middle of the conversation. I am Debby, a student studying journalism in Taiwan. I would like to write an article about this, but due to my lack of medical background, I want to ask: Is hacking implanted medical devices a serious issue in the States?

By going wireless all we are trying to do is prevent another minor surgery to operate on the device, and ease reprogramming. Touching doesn't defeat the purpose of wireless in medical equipment. I don't think we can consider it a step back.

You make a good point. The implant industry is increasingly going wireless, so in that sense requiring touch for 12 seconds in order to establish a secure connection is a bit of a step back, although in the doctor's office it probably would not be much of an inconvenience.

Just because there is an Internet of Things doesn't mean that my medical device has to be on it. There are plenty of non-contact options that obviate this kind of attack. If you are requiring that an authorized reader be in touch contact with the patient, why one of those? WiFi, Wi-Max and Bluetooth aren't the only things out there.

Hacking a pacemaker is something that has been researched and proven to be possible. The problem is, though, it is a lot of effort when a good EMP would do the job just as well. There just isn't much benefit to hacking them.

prabhakar_deosthali re: "I am just imagining a scenario where the hacker hijacks a high profile person"

The hacker would have to be touching the person with an ECG probe for 12 seconds to successfully "hijack" the random number and then negotiate a secure wireless connection--which doesn't seem long, but if you count it down on a clock seems much longer. Nevertheless, I do see your point that some scenario could make that possible.

Indeed, this seems like a cool idea...but as we all know too well, most device makers won't do much about the so-called security (even though they should), until some truly traumatic and tragic accidents happen.